|
|
|
|
New Member
|
|
Mar 27, 2008, 03:45 AM
|
|
Disable USB memory stick in the network
Dear
How I can disable usb memory stick in my company . I won't do that on network level not on user level
Can I do that in isa 2006??
Please advice
|
|
|
BossMan
|
|
Mar 27, 2008, 03:46 AM
|
|
You can use GPO to do this, BUT it would mean disabling USB connections completely.
The knock on of this would be NO USB Keyboards or mice.
|
|
|
New Member
|
|
Mar 27, 2008, 05:18 AM
|
|
I don't found it in GPO
Please clarify
|
|
|
Uber Member
|
|
Mar 27, 2008, 05:33 AM
|
|
My IT boys have been looking for a way to do this for a while. I don't think it is currently possible in a Windows world though I believe a future add-on is coming to deal with that.
|
|
|
BossMan
|
|
Mar 27, 2008, 05:48 AM
|
|
I know you can do it at a machine level by changing the default hardware profile.
As for using GPO it is possible with 2003 enterprise server, pain in the bottom to find though.
|
|
|
Senior Member
|
|
Mar 28, 2008, 08:00 AM
|
|
You can perform this with a GPO and it would NOT disable all other USB devices. By setting the permissions on each local PC to three files:
Set DENY Permissions for Domain Users to:
%SYSTEMROOT%\INF\USBSTOR.INF
%SYSTEMROOT%\INF\USBSTOR.PNF
%SYSTEMROOT%\SYSTEM32\DRIVERS\USBSTOR.SYS
This will have to be added to the Security templates in the Machine part of the GPO.
By denying permissions to these files, the user will not be able run the USB Mass Storage Driver. This will effect ANY storage device connected by USB.
|
|
|
Full Member
|
|
Mar 28, 2008, 09:49 AM
|
|
On my small network clients I use a program called ScriptLogic. It basically a graphical gpo editor but its very easy to use and lets you set lots of things that you wouldn't even have thought to set through GPO, including no allowing usb drives.
|
|
|
Uber Member
|
|
Mar 28, 2008, 10:43 AM
|
|
Added complication: just spoke with them and I see why they haven't implemented anything yet. Disabling all USB ports would be disastrous since many devices use them: mice, cameras, printers, keyboards. Apparently they are testing a solution that is device-aware. If I find out what that is I'll let you know.
|
|
|
Full Member
|
|
Mar 28, 2008, 11:14 AM
|
|
Scriptlogic is device aware. The amount of stuff you can configure with a few mouse clicks is pretty neat and for small offices the overhead that it cuts in administration time is definitely worth the price.
|
|
|
Senior Member
|
|
Apr 1, 2008, 12:01 PM
|
|
ScriptLogic is a fantastic product. The down side for us is that there is a price tag associated with it and I have been able to perform many of the things we need to do with VBScript and GPO's. If I had my choice, ScriptLogic would be in use here as well.
The answer I provided has been in production here for 5 years. There have been no complications with any other devices. It disables the Mass Storage device drivers ONLY.
|
|
|
New Member
|
|
Apr 1, 2008, 01:19 PM
|
|
I agree completely with Chuckhole. Scriptlogic has nice products but can get expensive. Especially for something that is as simple a fix as a reg hack and gpo security setting.
|
|
|
New Member
|
|
Apr 7, 2008, 04:17 AM
|
|
Thanks a lot dear I will try it.
|
|
|
New Member
|
|
May 1, 2008, 09:55 AM
|
|
I just tested the procedure that Chuckhole offered and it didn't work in my environment. Nor did renaming the files because they just get recreated (or at least the .sys file did and that's really the one that matters). The INF, PNF, SYS files are cached somewhere else. Even a reboot didn't affect access.
The other way, the one that worked, is to do it by denying access to the registry key
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
and the string that really affects it is below
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"
You can test this by editing the string value to USBSTOR.SY_
This method allows access to USB devices such as printers, keyboards, mice and other human input devices and peripherals.
|
|
|
New Member
|
|
Jul 29, 2008, 06:41 AM
|
|
+1 to scriptlogic's tool.
We've been using this desktop authority for some years and have been very happy with it.
We used altiris management suite before and we were fully disappointed with their features and uncountable bugs. A
S for desktop authority - it works well for us and it was priced lower (that is also very important).
We successfully configured usb security - we blocked only particular devces like usb sticks and mp3 players for some particular users and groups of users. With desktop authority we were able to do more too.
Now we manage outlook profiles, drive and printer mappings, desktops configuration, patch and software deployment.
It fully replaced all handwritten scripts and other tools that we used before for such purposes.
|
|
|
New Member
|
|
Mar 30, 2009, 12:41 AM
|
|
Don't make such hassles. Just go forward and download the best software for such a task.
It is uHook 2.1 and its awesome ! Because it selectively allows/blocks access to required USB device.
Download it from Dataresolve Technologies - End Point Data Loss Prevention and from my experience it delivers exactly what is claims.
Using it you can also password protect and enable and disable your USB data transfers when required and even keep them under check.
It gives other companies a run for their product because uHook is an excellently built product.
|
|
Question Tools |
Search this Question |
|
|
Add your answer here.
Check out some similar questions!
USB Memory stick
[ 3 Answers ]
I've used up two-thirds of my USB memory stick, but now it does not allow me to add more. The window says something about a write-on protection which I have to lift, but which I cannot find. Thanks.
USB stick is not working anymore
[ 4 Answers ]
Hi all,
Before 2 month I bought USB Stick Sony MicroVault 2GB USM-J. It was normaly working. I never had any problems with stick on any operating system on different computers ( specially XP, and vista).
Yesterday I copied large file and remove disk after several minutes. 10 hours later I...
USB stick not recognized
[ 1 Answers ]
When I connect any USB stick to my PC , first it seems to be detected but afterwards a message 'Found new hardware' pops up, trying to recognize the stick but in vain.
So?!
View more questions
Search
|